Closed GaneshSMC closed 3 weeks ago
@GaneshSMC , we can look into this, but could you clarify why this issue is Critical?
@GaneshSMC Can you clarify what the issue is? Are you saying you are receiving a violation but expect not to because the code is a test and not source code? If so, have you tried specifying the --target to only include your source files and not your test files?
Hello @jfeingold35 @stephen-carter-at-sf We have submitted our application for a security review. Salesforce initially identified some violations, which we resolved. However, in the latest scan, new violations have emerged that were not previously detected, even though the code remains unchanged. We now need to address these new issues and resubmit our application.
I have a Permission Set Assignment in my test class. On the scan run it was identified as a LimitPermissionSetAssignment violation. I referred to this link, where I could not find my solution: https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitPermissionSetAssignment.md. I also referred to this: https://github.com/forcedotcom/sfdx-scanner/issues/1414
What does LimitPermissionSetAssignment mean? What should I consider before using a permission set assignment in my application so that I don't get any violations? I got this as the description: "Ensure that DML operations against PermissionSetAssignment use trusted input." What does trusted input refer to here?
Also, as per your words ("If so, have you tried specifying the --target to only include your source files and not your test files?"), I ran this command with only the source code: sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange_3.csv --target C:\Users\DELL\HBAVersion2Prod\force-app\main\default\classes2 and the result we got is 0 violations. Are test class violations neglected in the security review?
You'll have to ask the security team what they require - if the test classes can be skipped during the scan or not. Also, this is one of their rules, so they should be able to respond. Please ask the security review team, and then report back here so that we can close this issue. Thank you.
I just confirmed that for now you can ignore test class based violations here. In the near future we'll have these rules updated for most cases to not mark test classes as vulnerabilities here.
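As an added illustration of what "trusted input" in the rule's description can mean (this is not code from the thread, the sfdx-scanner project, or the reporter's application): the first method takes the permission set and assignee straight from caller-supplied parameters, so whoever can reach the method decides what gets granted to whom; the second fixes the permission set to a code-owned name and the assignee to the running user. The class names, the permission set name HBA_App_User and the test class are hypothetical, and the reading of "trusted input" as "values the caller cannot redirect" is an assumption drawn from the description quoted on this page, not from the rule's source.

```apex
// Added illustration, not code from this issue or from the sfdx-scanner project.
// Assumes a permission set with the API name 'HBA_App_User' exists (hypothetical name).
public with sharing class PermissionGrantService {

    // Pattern the rule description warns about: both the permission set and the
    // assignee come from parameters, so any caller (an LWC/Aura front end, an
    // integration, another class) chooses which permission set is granted to whom.
    @AuraEnabled
    public static void grantFromCaller(Id permissionSetId, Id userId) {
        insert new PermissionSetAssignment(
            PermissionSetId = permissionSetId,
            AssigneeId = userId);
    }

    // Trusted-input pattern: the permission set is a fixed, code-owned name and
    // the assignee is the running user; no caller-controlled value reaches the DML.
    private static final String APP_PERMSET_NAME = 'HBA_App_User'; // hypothetical

    public static void grantAppAccessToRunningUser() {
        PermissionSet ps = [SELECT Id FROM PermissionSet
                            WHERE Name = :APP_PERMSET_NAME LIMIT 1];
        Id runningUser = UserInfo.getUserId();

        // Skip if already assigned; inserting a duplicate assignment throws a DML exception.
        List<PermissionSetAssignment> existing = [
            SELECT Id FROM PermissionSetAssignment
            WHERE PermissionSetId = :ps.Id AND AssigneeId = :runningUser];
        if (existing.isEmpty()) {
            insert new PermissionSetAssignment(
                PermissionSetId = ps.Id,
                AssigneeId = runningUser);
        }
    }
}

// Test-class DML on PermissionSetAssignment, the case this thread is about.
@IsTest
private class PermissionGrantServiceTest {
    @IsTest
    static void runningUserGetsAppPermissionSet() {
        // runAs keeps the setup-object DML separate from any non-setup DML in the test,
        // avoiding a MIXED_DML_OPERATION error.
        System.runAs(new User(Id = UserInfo.getUserId())) {
            PermissionGrantService.grantAppAccessToRunningUser();
        }
        Integer assigned = [
            SELECT COUNT() FROM PermissionSetAssignment
            WHERE AssigneeId = :UserInfo.getUserId()
              AND PermissionSet.Name = 'HBA_App_User'];
        System.assertEquals(1, assigned, 'expected exactly one assignment for the running user');
    }
}
```

The scanner is a static checker and cannot tell where a parameter value originates, so both insert statements look the same to it; the difference between the two methods is whether the values reaching the DML are controlled by the code or by the caller, which is what the reviewer reading a violation would want to judge.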
Have you verified this is Salesforce Code Analyzer specific?
Yes
Description
Ensure that DML operations against PermissionSetAssignment use trusted input.
Output / Logs
No response
Steps To Reproduce
1. Ran the command below: sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv --target ./
Expected Behavior
I expect the result to be clear, since it's a test class.
Operating System
Windows 11
Salesforce CLI Version
@salesforce/cli/2.41.8 win32-x64 node-v20.12.2
Code Analyzer Plugin (@salesforce/sfdx-scanner) Version
@salesforce/sfdx-scanner 3.24.0
Additional Context (Screenshots, Files, etc)
No response
Workaround
No response
Urgency
Critical